Former Owners of Medical Billing Practice, Pathology Groups Agree to Pay $140,000 to Settle Claims that Patients’ Health Information was Disposed of at Georgetown Dump

BOSTON – Former owners of a Marblehead-based medical billing practice and four pathology groups have agreed to collectively pay $140,000, settling allegations that sensitive medical records and confidential billing information for tens of thousands of Massachusetts patients were improperly disposed of at a public dump, Attorney General Martha Coakley announced today.

The complaint, filed in Suffolk Superior Court along with consent judgments that were approved today, alleges that Joseph and Louise Gagnon, d/b/a Goldthwait Associates, violated state data security laws when they mishandled and improperly disposed of medical records containing personal information and protected health information from four Massachusetts pathology groups at the Georgetown Transfer Station. The medical records contained information for more than 67,000 residents including names, Social Security numbers, and medical diagnoses that were not redacted or destroyed when they were dumped.

“Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors,” AG Coakley said. “We believe this data breach put thousands of patients at risk, and it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again.”

This matter came to the public’s attention in July 2010 when a Boston Globe photographer was disposing of his own trash at the Georgetown Transfer Station and observed a large mound of paper which, upon closer inspection, he determined were medical records. His discovery was first reported in the Globe shortly thereafter.

The AG’s Office alleges that these pathology groups violated HIPAA regulations by failing to have appropriate safeguards in place to protect the personal information they provided to Goldthwait Associates, and violated state data security regulations by not taking reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect such confidential information.

According to the complaint, the Gagnons ran Goldthwait Associates – which primarily provided medical billing services for pathology groups – and received sensitive medical records and billing information of clients in order to send medical bills on behalf of the groups. The Gagnons retired from Goldthwait Associates and the medical billing business in 2010.

Each of the four pathology groups and the Gagnons agreed to entry of consent judgments to resolve the AG’s allegations. Under the settlements, the defendants have agreed to pay a total of $140,000 for civil penalties, attorney fees, and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.

The AG’s Office is focused on ensuring that health care practices and their business associates abide by the state and federal data privacy requirements. Recent efforts include the $750,000 settlement with South Shore Hospital in May 2012, resolving allegations that it failed to protect the personal and confidential health information of more than 800,000 patients.

AG Coakley is also leading an educational effort in the area of data privacy. A first-of-its-kind data privacy training – sponsored jointly by the AG’s Office and the Massachusetts Medical Society – was held in October 2012 and focused on health care entities, including speakers from state and federal government and the private sector. A second training is being held this Thursday in cooperation with the Massachusetts Hospital Association.

This matter is being handled by Assistant Attorneys General Wendoly Ortiz Langlois of the Health Care Division and Shannon Choy-Seymour of the Consumer Protection Division.

Being just over two years away from celebrating 20 years in the document shredding and storage business, as a small business whose job is nothing but small, we felt like it was about time we started the celebration. We might be a little early, but hey, we're excited. We're excited because we've successfully been able to capture the trust of thousands of customers over the years who are in need of secure shredding or records management and who put their faith in us to keep their personal information safe. The reason for our success, we believe, along with many other things, is because we do things the right way. What is the right way, you ask? Well, there's only one when it comes to this business and we're doing it. There are a lot of ways to be doing it the "wrong" way and thankfully, we know that that's just not how to do business.

Although it may be a simple question, we get it a lot: "What do you do with my documents once you take them?" Since we are asked this so frequently, we figured that this would be the perfect opportunity to lay it all out and give you the inside look at how things are done (the right way!).

You can get all the facts in two minutes by watching our video, and then the nitty gritty (but really important stuff!) is laid out below.

Certified & Secure Document Shredding

1. Your boxes of documents are picked up by our insured and bonded staff (loaded into our securely locked box truck designated specifically for destruction pick-up only).

2. The number of boxes picked up is signed off by you as well as the retrieval driver. This is to ensure that you will be billed for only the number of boxes you and the retrieval team member agree upon. We do this since there are so many different sized boxes to hold your documents these days, some larger than others, and some may need to be counted as two.

3. Once the box number is agreed upon, your boxes are transported in our locked destruction retrieval truck to our secure facility, where the truck has loading dock access and unloads your documents directly onto the shredder. That means that your documents are destroyed the same day that they are retrieved.

4. All of the shreds from our shredder are baled and brought to a paper recycling plant to be repurposed.

5. Once payment has been received, you will be sent a Certificate of Destruction as proof that you took the secure measures required by law to safeguard sensitive information.

Document Storage & Management

1. From the start, document storage and management takes a bit more time and planning than document shredding. When you're ready to put your documents in a secure, climate controlled environment, we'll walk you through each step and even come to your office or place of business to assess your current situation and help to tailor a storage plan to fit your needs.

2. Once your plan is made and you're ready to finally free up all that space your boxes are taking up (and if you don't have boxes, we can supply you with some, free of charge), we'll schedule a time for your storage retrieval truck to come and retrieve your boxes for storage.

3. When the storage retrieval team arrives, they will perform a box level inventory and barcode each of your boxes. The inventory is made in an Excel spreadsheet and matches the description of the box with the barcode number. The barcodes are scanned as each box is put on the truck to begin the chain of custody. From here on, every time a box is moved, its barcode is scanned. These barcodes are also used to track the location of your boxes in storage. In case you need to retrieve either a box or a file from a box, all you need to do is look at the inventory, see which files are in which box, and send us the barcode number for the box that the files are in.

4. At the time the boxes are barcoded, you will receive additional barcodes to put on any boxes that you come across in the future that will need to be put into storage. You can either add this box to your inventory spreadsheet or we can do it for you!

5. For your convenience, we have RSWeb, a web application that you can log into and request that files be delivered to you, request to come and access files here, or request that certain boxes be destroyed once their retention time is up.

DO NOT, I repeat, DO NOT let this happen to you! Even though everyone says "oh, it won't happen to me", don't be that person. It can, and will, happen to you. What is 'it' though? 'It' is the heavy imposition of FINES on you for the improper disposal of sensitive information. These fines are imposed under both Massachusetts state laws (93H and 93I, which require the proper destruction of information containing Social Security numbers, driver's license numbers, financial account numbers, and credit or debit card numbers) and federal regulations such as HIPAA, which requires the secure destruction of PHI (protected health information), and FACTA. If anything is to be taken away from this blog, it should be that the DUMPSTER is NO PLACE for the disposal of any kind of sensitive record. If you even have to question whether or not the information is "sensitive", then it probably is. Too many times companies, large and small, are exposed, and fined heavily, for disposing of sensitive information belonging to their clients, patients, or customers simply by putting it in the trash.

Companies that don't heed the warning and do not take the proper steps to ensure the security and proper disposal of sensitive information are used as examples of what NOT to do. This is done by way of news reporters plastering the names of companies, and what they did, all over the headlines. For example, big corporations like RiteAid, Walgreens, and CVS were all EXPOSED for their improper disposal of private prescription information. Hitting closer to home, St. Elizabeth's Medical Center is investigating how patient financial information was found floating around on the streets outside of a building in Charlestown. Thankfully, the hospital is taking the correct measures to ensure that this does not happen again. Also, the hospital did what it is required to do by law when a data breach of this sort happens and notified the Massachusetts Attorney General's office.

Then, we come across a more interesting situation where SHREDDED PAPER was used as confetti in the Macy's Thanksgiving Day parade. So what's the big deal? Well, the shreds were very thick and cut perfectly horizontally across the paper, so that perfectly clear lines of text could be read, including Social Security numbers and other sensitive information. It is clear that a typical office shredder was used to shred these documents, since that is the common level of "security" that an office shredder provides. The difference between an office shredder and a commercial shredder is the level of security in the 'cut' of the paper. Security levels 1-6 exist: the higher the level, the higher the security of the cut. Office shredders typically have level 1 or 2 security, where the shreds of paper are thick, easy to read and easy to reconstruct. Security levels 3 and 4 give consecutively smaller cuts of paper and allow for cross-cutting, inhibiting the readability of the shreds as well as the ability to reconstruct them. Security levels 5 and 6 are recommended for destroying top-secret government or research documents, because the shreds coming from these shredders are like grated cheese. It is typical of a commercial shredding company to have a shredder with a security level from 3-6. Then, in some instances, a reputable shredding company will go one step further and have your shreds pulverized and recycled.

The one thing that could have made a huge difference in each of these three situations is if the drug stores, the hospitals, and the police stations had all used a document shredding and storage company for their storage and destruction needs. Although safe and secure document storage and destruction seem straightforward and simple, they are best left in the hands of those companies who make it their sole purpose to protect information (yes, even AFTER it is shredded!).

One of the biggest changes to the shredding industry over the years is the appearance of the "Mobile Shredding Truck". Usually coming fully equipped with a shredder, tv monitor, and a big bad name, shredding trucks have their good qualities, but poor ones too. A lot of companies seem to enjoy the ability to view in "real time" the shredding of their documents. Unfortunately, what a lot of companies don't know is that on-site shredding can be performed by less than qualified staff and a less than qualified company.

Yes, you heard it right. Anyone with a cell phone, a one page website, and a truck can pass themselves off as a mobile shredding company. Are their services actually helping you become compliant with the laws? Do they have strict information security policies in place? What happens if the truck breaks down (like in the picture below)? What is the level of security of the shredder that is being used in the truck? Some mobile shredding trucks have been shown to actually let WHOLE CHECKS pass through, unshredded (proof is in the pudding, I mean picture, below). These are some things you need to question before electing to use a mobile shredding company.

How comfortable would you feel if your documents were shredded in that mobile truck?

And then, ask yourself, how comfortable would you feel having a mobile shredding truck shred your documents when the shredder lets WHOLE CHECKS pass through?

Off-site shredding is done by a shredding company who has a warehouse (real estate), an industrial shredder, and a bonded and insured warehouse staff, at the very least. Usually, a company that performs off-site shredding also offers and performs other records management related services and they hold certifications and memberships in order to do so, adding to their legitimacy.

I like the analogy of likening an off-site shredding company to a bank. You give the bank your money but you don't see them put it in the vault, so how do you know it is safe and will be there when you need it? Because a bank is insured. With a bonded and insured shredding company, you have the same circumstances. You don't need to watch the shredding be performed to know that your document will be securely and properly disposed of due to associations like NAID, the National Association of Information Destruction. NAID is the association that verifies and puts their "stamp of approval" on those companies who follow the highest security measures in their shredding operations.

We aren't saying that you should not use a mobile shredding company (but you really shouldn't!) but what we are saying is, we don't think this mobile shredding trend is here to stay. What do you think? Feel free to leave your comments in the box below...

You read it right, we're asking: Do you know where your personal documents are? And no, we aren't talking about the documents you keep in a filing cabinet, in a kitchen drawer, or a home office. We're talking about the personal information you've left with anyone who you have ever given it to... your bank, your doctor, your lawyer, your accountant, etc. Do you know what is done with your documents? Well, in most cases, you should feel secure leaving your information with a reputable company who uses a professional document shredding service to securely destroy your information. Unfortunately, as detailed in this news video, sometimes your personal information can be just thrown in the trash by those who have no regard for the safety of their clients' or patients' information.

A trash collector found these documents containing sensitive personal information in a dumpster, and even found a copy of a Social Security card.

So now you ask, well how can I be sure that the people who deal with my sensitive information aren't just throwing it away? Of course you cannot police them, but what you can do is be an educated consumer of the services you are using, and when you know your sensitive information is going to be in the hands of a service provider, all you have to do is ASK! Don't be afraid, your identity and financial information may be at risk. All it takes is a simple question of "will all of my information be securely shredded when you're done with it?". The answer will either be "Why of course, we use company XYZ to shred all of your client/patient information" or it would be "No", or maybe "we plan on starting up services sometime in the near future", or any type of explanation to make it sound not-so-bad that they aren't using a shredding company. Either way, when you ask, you are only doing a service to yourself and the fellow consumer. Maybe your question will prompt that company to call their shredding service provider to have them remove sensitive documents (some of which may be yours!), or, maybe your question will prompt them to START using a document shredding company. The outcome will be positive, no matter what.

As a consumer, you have a right to DEMAND the safety of your information. Thankfully, Massachusetts and most states have laws that affect the types of businesses that handle sensitive information and so you can feel comfortable knowing that those businesses are required by law to keep your information safe. Regardless, it never hurts to ask. You never know whose sensitive information you could be keeping from going into the trash.

Next time you're thinking of using a personal shredder for the disposal of your credit card statements, bank account information, insurance policy information, or even those "junk mail" credit card offers, you may want to think again. In a recent article by MSN Money, the personal shredder was shown to fall "below the cut" when it comes to document security and keeping your sensitive information out of the hands of identity thieves. The article highlights how earlier in the year, a couple was arrested and charged with identity theft after putting back together the shreds from a personal shredder that were discarded in a trash bag. From these reassembled shreds, the perps were able to gain access to routing numbers and bank accounts and stole over $1,000 from a local church by using fraudulent checks (it was later discovered by detectives that the thieves had machinery that used the shreds to reconstruct checks and pass them off as legitimate).

So what is the difference between a personal shredder and a shredding company? Are you thinking that they do the same things? If so, think again! Personal shredders are much different than industrial shredders, and what is done with the shreds afterwards is done so that even beyond the shredding process, your information is kept secure until it is completely obliterated, and turned into pulp, without the chance of anyone having access to it ever again.

Personal Shredder Shreds (typically strip-cut)

Industrial Shredder Shreds (highest security available)

Let Safeguard Records Management securely, and properly destroy your information and help you feel confident in the security of your information, even after it has been shredded. To request more information, or to request a quote, click on any of the following buttons. You'll be happy (and feel more secure) that you did!

So shredding your documents sounds easy, right? Well, part of the process is easy, the part where you find a reputable vendor. There are many shredding companies out there that offer a wide range of services to suit the needs of any size company (and even those who need to have personal shredding done). A reputable vendor can take care of the grunt work for you by performing the hard labor, picking-up your documents and either shredding them or storing them. The not-so-easy part of protecting your sensitive documents is being compliant with data protection laws in ALL facets... having a reputable vendor is just the "tail-end" of compliance.

Before you go looking for a company to shred your information, you need to take a look at the laws that affect you and that govern what measures need to be taken in the data protection process. Although reading through each law is important (yes, tedious, but necessary), one important yet ambiguous aspect of the laws is that they are not specific. In fact, they are not specific for a specific reason. Most laws use terminology such as "reasonable measures" when it comes to what you "must do" in order to protect your clients' or patients' sensitive information. So what does a "reasonable measure" constitute? Well, it depends on a lot. What you must do, though, is spend time working out what is reasonable cost-wise and effort-wise for your entity and then draft a written policy on the measures that you have decided to implement.

Your written policy should at the very least include the following:

- What your entity considers sensitive information
- What should be done when someone in your entity needs to dispose of sensitive information
- What training will be given to employees to ensure that all sensitive information is disposed of properly
- What vendor you will be using for shredding and document storage
- What your emergency plan is in the event a natural disaster strikes in the area of your office location
- What your plan is in the event of a security breach in your office

Don't know where to start now? Well here's a place, download our Compliance Packet by clicking the button below and get our 11 page packet that includes a summary of Massachusetts Data Protection Laws 93H & 93I, a compliance checklist, and an example of Safeguard's Written Information Security Policy.

As a legal professional, you generate tons and tons of files and confidential client information. Your industry or professional associates counsel you on what you should be doing with this information, how long you should keep it for, and when it can be disposed of. Implementing the safe-keeping and safe destruction of your files, though, is what is not so straightforward. Your private information is sacred to you, and you are probably wary of letting it out of your sight and handing it off to some self-storage company or leaving it unsecured in the office basement, as you should be. Then when it comes time to destroy those files of yours whose retention time is up, do you have the office intern sit at a paper shredder and manually feed your papers into an office shredder? How are those "shreds" then disposed of? Hopefully not in the dumpster.

As you can see, there are a lot of questions that arise even with the counsel of your industry advising you on what files to keep and for how long. To get rid of your headache, that is where a records management company comes in. A reputable records management company can provide safe and secure storage in climate controlled conditions where your files can be kept for the remainder of their retention period. When that retention period ends, a reputable records management company will also be able to provide certified shredding, after which the shreds are recycled so that no traces of your information exist except for the white pulp that may then be used again to fulfill one's morning coffee desires.

It's that time of year again, time for spring cleaning. Usually most people spend daunting days and countless hours organizing their documents every year, but we think that should change. Instead of having everything pile up each year waiting to steal your precious spring days away from you to organize it all, why not implement a plan, a document organization plan, that would allow you to never have to waste spring days again??

We'll do you one better than just telling you that you should formulate a plan, we'll GIVE you the plan! And it's SIMPLE! What could be better? If you follow our three-step plan, we know that these three steps will bring you closer to free spring days and further away from docu-disaster.

Step 1: Digitize. When you come across important documents or files, scan them. Save them on a hard drive, disk, or flash drive. Ensure that these are all secure electronic storage methods by password protecting documents. If you can do this daily or even weekly and get into the habit of it, you will thank yourself in the long-run.

Step 2: Decide. So you've digitized important files. Now you need to decide whether or not the document should have a hard copy stored or if the document is safe to be securely shredded.

Step 3: DO! Once you have decided to either store the documents or shred the documents, DO IT!

Having a certified and secure document shredding and archiving vendor can not only save you time, in that you don't have to shred the documents yourself, and office space, in not having to store your documents on-site, but a vendor also makes it easy to get in the habit of storing and shredding. If you have a box of documents you need to add to your storage account, just give them a call and they should be able to retrieve your box, barcode it, add it to your inventory, and securely store it for you. They should also be able to deliver any documents or files to you upon request. A vendor that stores your documents as well as shreds them is a blessing. Usually, a vendor can provide you with locked, slit-top shredding bins or consoles that can be placed in your office and that you can place sensitive documents into whenever you come across them. Changing out a full bin or console for an empty one is just a phone call away.